Hi, I'm investigating the changes that we will need for production use of a website code base utilizing Struts2.
1) =========================
First of all, we are still using the 2.0.x series of Struts2. From what I can tell this means we are theoretically vulnerable to http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html although this isn't made clear on http://struts.apache.org/2.0.14/index.html

However, although I have successfully reproduced CVE-2010-1870 on a Windows environment, I have been unable to reproduce it on any of our Linux environments. I don't understand why they would be immune to the attack and would be very interested in finding out if the attack should still be reproducible, or if anybody else has seen similar behaviour on any version of Struts2.

2) =========================
Secondly, we haven't applied any "Freemarker" configuration settings as advised here: http://struts.apache.org/2.0.14/docs/performance-tuning.html

I think it was probably assumed that because we use JSP/Struts2 tags there wouldn't be any Freemarker to configure. However, I have seen Freemarker engine classes in thread dumps and, given the following Struts 2.2-only advice here, http://struts.apache.org/2.x/docs/javatemplates-plugin.html it looks like we should:
i) Create a freemarker.properties file in your WEB-INF/classes directory.
ii) Enable Freemarker template caching.
Is that correct?

3) =========================
Finally, I fully expect any reply to this email to start by telling me that we should upgrade to Struts 2.2.1. Would anybody be kind enough to venture a rough guess of how difficult that would be for us and how much of a performance increase it could give us? We seem to:
i) have quite a few custom interceptors and chains
ii) make extensive use of most S: and SS: tags in JSP.

Apologies for the interconnected series of questions. Thank you so much for your time if you are able to answer or comment on any part of them.
Regards,
Caoilte O'Connor

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
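The two Freemarker steps asked about in point 2 (a freemarker.properties file on the classpath, plus template caching) amount to the following settings. This is an added illustration, not the poster's configuration and not text from the linked Struts pages; the setting name template_update_delay is FreeMarker's own, the Struts constant struts.freemarker.templatesCache is assumed to be the caching switch meant by "enable Freemarker template caching", and the numeric value is a placeholder to be chosen for your deployment:

```properties
# WEB-INF/classes/freemarker.properties  (added example, not the original poster's file)
#
# Struts 2's FreemarkerManager reads this file from the classpath and hands it
# to FreeMarker's Configuration.setSettings(), so any FreeMarker setting key is
# valid here.
#
# template_update_delay controls how often FreeMarker re-checks a cached template
# for changes on disk. The FreeMarker default is a few seconds, which means a
# stat() per template on a busy site. NOTE: for FreeMarker 2.3.x releases of the
# Struts 2.0/2.2 era this value is interpreted in SECONDS, not milliseconds, so
# 60000 means ~16.7 hours (effectively "never re-check until redeploy").
# Value chosen here is an assumption for illustration; pick what suits your
# release process.
template_update_delay=60000
```

Template caching itself is a Struts-side switch rather than a FreeMarker one: set the constant `struts.freemarker.templatesCache` to `true` (in struts.properties, or as `<constant name="struts.freemarker.templatesCache" value="true"/>` in struts.xml). As a check that the file is actually being picked up, temporarily set `template_update_delay=1`, edit a Struts tag template under the theme directory, and confirm the change is visible within a second; then restore the production value. Keep both settings out of development builds, where you want template edits to show up immediately.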